Difference between revisions for Users / Eo Ny / dev
Overview
The
Http class (src/class/http.php) is a core component of the WackoWiki system responsible for handling HTTP request/response processing, session management, caching, and security features. This class acts as a bridge between the web server and the wiki engine.File Location:
src/class/http.php Language: PHP
Dependencies: Database class, Session classes, Utility classes (
Ut), Diagnostics class (Diag)Class Properties
====Public Properties====
Private Properties
| <! |
|
| <! |
=== <!--markup:1:begin-->|| ||<!--markup:1:end--> Constructor ===
php<!--markup:1:end--> <!--markup:2:begin-->
**Purpose:** Initializes the Http object and sets up HTTP session handling. **Parameters: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$db## - Database object reference **Initialization Steps:** 1.** <!--markup:1:begin-->|| ||<!--markup:1:end--> Stores database reference 2. <!--markup:1:begin-->|| ||<!--markup:1:end--> Extracts and normalizes REQUEST_URI 3. Detects TLS/HTTPS session status 4. Determines client's real IP address 5. <!--markup:1:begin-->|| ||<!--markup:1:end--> Sets up TLS mark cookie name 6. <!--markup:1:begin-->|| ||<!--markup:1:end--> Enforces TLS session upgrade if needed **Example: <!--markup:1:begin-->|| ||<!--markup:1:end-->** <!--markup:1:begin-->|| ||
<!--markup:2:end-->
$http = new Http($db);
Core Methods
Session Management
session($route): void
Initializes **Parameters:
- **
|| ||$route(int) - Routing flag: -
|| ||Bit 2 ($route & 2): Enable static mode for files/freecap (disables replay prevention and ID regeneration)
Features:
- Selects storage backend (file or database)
-
|| ||Configures cookie settings (security, path, httponly) -
|| ||Binds IP and TLS validation -
|| ||Recovers diagnostic logs from previous session
**Example:
php<!--markup:1:end-->** <!--markup:2:begin-->
$http->session(2); // Static file serving mode
---- ==== <!--markup:1:begin-->|| ||<!--markup:1:end--> Caching System ==== ===== ##check_cache($page, $method): void## ===== Determines if a page can be cached and prepares the cache check. **Parameters:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$page## (string) - Page name to cache - ##$method## (string) - Request method/action (e.g., 'show', 'edit') **Caching Rules:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ✅ Enabled for GET requests only - <!--markup:1:begin-->|| ||<!--markup:1:end--> ✅ Disabled for POST requests - <!--markup:1:begin-->|| ||<!--markup:1:end--> ❌ Never cached for 'edit' or 'watch' methods - <!--markup:1:begin-->|| ||<!--markup:1:end--> ✅ Only cached for anonymous users (no logged-in users) **Example: <!--markup:1:begin-->|| ||<!--markup:1:end-->** <!--markup:1:begin-->|| ||
<!--markup:2:end-->
$http->check_cache('HomePage', 'show');
store_cache(): void
Saves the generated page content to cache file.**Features:
- Retrieves output buffer content
-
|| ||Saves to cache file with proper permissions - Records cache metadata in database
- Only executes if caching flag is set and user is anonymous
**Example:
php<!--markup:1:end-->** <!--markup:2:begin-->
$http->store_cache();
---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##invalidate_page($page): int## ===== Invalidates all cached versions of a page. **Parameters: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$page## (string) - Page name to invalidate **Returns: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> Number of cache entries invalidated **Process: <!--markup:1:begin-->|| ||<!--markup:1:end-->** 1.** <!--markup:1:begin-->|| ||<!--markup:1:end--> Finds all cached versions (different methods/languages) 2. <!--markup:1:begin-->|| ||<!--markup:1:end--> Touches files to past timestamp (faster than deletion) 3. Removes entries from cache metadata table 4. <!--markup:1:begin-->|| ||<!--markup:1:end--> Returns count of invalidated caches **Example: <!--markup:1:begin-->|| ||<!--markup:1:end-->**
$count = $http->invalidate_page('HomePage');
echo "Invalidated $count cache entries";
---- ==== <!--markup:1:begin-->|| ||<!--markup:1:end--> TLS/HTTPS Security ==== ===== ##secure_base_url(): void## ===== Switches base URL from HTTP to HTTPS. **Purpose: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> Ensures all subsequent URLs use HTTPS - <!--markup:1:begin-->|| ||<!--markup:1:end--> Stores original HTTP URL for fallback - <!--markup:1:begin-->|| ||<!--markup:1:end--> Called when TLS session is detected **Example: <!--markup:1:begin-->|| ||<!--markup:1:end-->** <!--markup:1:begin-->|| ||
<!--markup:2:end-->
$http->secure_base_url();
// $db->base_url now uses https://
ensure_tls($url): void
Enforces **Parameters:
- **
|| ||$url(string) - URL to secure
Behavior:
- **
|| ||If not already HTTPS and TLS is enabled, forces HTTPS redirect -
|| ||Handles both relative and absolute URLs -
|| ||Converts relative URLs using current server name
**Example:
php<!--markup:1:end-->** <!--markup:2:begin-->
---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ==== IP Address Detection ==== ===== ##real_ip(): string## (Private) ===== Detects client's real IP address accounting for proxies. **Proxy <!--markup:1:begin-->|| ||<!--markup:1:end--> Headers Checked (in order):** 1.** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##HTTP_X_CLUSTER_CLIENT_IP## 2. <!--markup:1:begin-->|| ||<!--markup:1:end--> ##HTTP_X_FORWARDED_FOR## (or custom header) 3. ##HTTP_CLIENT_IP## 4. <!--markup:1:begin-->|| ||<!--markup:1:end--> ##HTTP_X_REMOTE_ADDR## 5. <!--markup:1:begin-->|| ||<!--markup:1:end--> ##REMOTE_ADDR## (fallback) **Features: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> Filters out private/reserved IP ranges - <!--markup:1:begin-->|| ||<!--markup:1:end--> Respects configured reverse proxy addresses - Returns ##'...'## as fallback **Configuration <!--markup:1:begin-->|| ||<!--markup:1:end--> in Database:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##reverse_proxy_addresses## - Comma/space-separated proxy IPs - <!--markup:1:begin-->|| ||<!--markup:1:end--> ##reverse_proxy_header## - Custom header name (default: ##X-Forwarded-For##) **Example: <!--markup:1:begin-->|| ||<!--markup:1:end-->** <!--markup:1:begin-->|| ||
<!--markup:2:end-->
$client_ip = $http->ip; // e.g., "23..113.42"
HTTPS Detection
tls_session(): bool (Private)
Detects if current connection uses HTTPS/TLS.Checks (any being true = HTTPS):
-
$_SERVER['HTTPS']is 'on' -
$_SERVER['SERVER_PORT']is 443 -
$_SERVER['HTTP_X_FORWARDED_PROTO']is 'https' -
$_SERVER['HTTP_X_FORWARDED_SSL']is 'on' -
$_SERVER['HTTP_X_FORWARDED_PORT']is 443
Security Headers
http_security_headers(): void
Sets security-related HTTP headers.
Headers Set:
| Header | Purpose | Config Key |
|---|---|---|
| Content-Security-Policy | XSS/injection protection | csp |
| Permissions-Policy | Control browser features | permissions_policy |
| Referrer-Policy | Control referrer information | referrer_policy |
| Strict-Transport-Security | Force HTTPS | Auto (TLS only) |
| X-Frame-Options | Clickjacking protection | Hardcoded: SAMEORIGIN |
| X-Content-Type-Options | MIME sniffing prevention | Hardcoded: nosniff |
CSP Configuration Options:
-
- Disabled -
1- Default policy (fromcsp.conf) -
|| ||2- Custom policy (fromcsp_custom.conf)
Example: <!
php<!--markup:1:end-->** <!--markup:2:begin-->
$http->http_security_headers();
---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ==== HTTP Methods ==== ===== ##redirect($url, $permanent = false): void## ===== Performs an HTTP redirect. **Parameters: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$url## (string) - Target URL - <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$permanent## (bool) - Use 31 (permanent) vs 32 (temporary) **Features: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> Decodes ##&## entities to prevent broken redirects - Only works if headers not yet sent - <!--markup:1:begin-->|| ||<!--markup:1:end--> Uses output buffering to work anywhere in page processing **Example:**
$http->redirect('http://example.com/new-page', true); // 31
$http->redirect('/wiki/HomePage'); // 32
---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ===== ##terminate(): void## ===== Safe exit/die with cleanup. **Cleanup Operations:** - Saves diagnostic logs to session flash data - Ends script execution **Example:**
$http->terminate();
---- ===== ##status($code): void## ===== Sets HTTP response status code. **Supported Status Codes:**
2 => 'OK'
26 => 'Partial Content'
31 => 'Moved Permanently'
32 => 'Moved Temporarily'
34 => 'Not Modified'
4 => 'Bad Request'
41 => 'Unauthorized'
43 => 'Forbidden'
44 => 'Not Found'
45 => 'Method Not Allowed'
49 => 'Conflict'
41 => 'Gone'
416 => 'Requested Range Not Satisfiable'
5 => 'Internal Server Error'
51 => 'Not Implemented'
53 => 'Service Unavailable'
**Example:**
$http->status(44); // Send 44 Not Found
---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ==== <!--markup:1:begin-->|| ||<!--markup:1:end--> Caching Control ==== ===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##no_cache($client_only = true): void## ===== Disables <!--markup:1:begin-->|| ||<!--markup:1:end--> caching of the current page. **Parameters: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$client_only## (bool, default: TRUE) - <!--markup:1:begin-->|| ||<!--markup:1:end--> ##TRUE##: Disable browser cache only - <!--markup:1:begin-->|| ||<!--markup:1:end--> ##FALSE##: Disable both browser and server cache **Headers <!--markup:1:begin-->|| ||<!--markup:1:end--> Set:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##Last-Modified: <current-time>## (always fresh) - ##Cache-Control: no-store## **Example:**
$http->no_cache(); // Client-side only
$http->no_cache(false); // Both client & server
---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##cache_promisc(): void## ===== Marks <!--markup:1:begin-->|| ||<!--markup:1:end--> page as publicly cacheable. **Headers Set:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##Cache-Control: public## **Example:** <!--markup:1:begin-->|| ||
<!--markup:2:end-->
$http->cache_promisc();
Language Negotiation
user_agent_language(): string
Determines best language based on browser preferences.**Features:
- **
|| ||Follows RFC 911 section 12.5.4 (HTTP Accept-Language) -
|| ||ParsesAccept-Languageheader with quality factors - Attempts exact match first, then language fallback
-
|| ||Falls back to default system language
**Example
** <!--markup:1:begin-->|| ||<!--markup:1:end--> Accept-Language: en-US,en;q=.9,de;q=.8
Returns:
- **
|| ||Language code (e.g., 'en', 'en-US', 'de')
Returns
**Parameters:
- **
|| ||$subset(bool, default: TRUE) -
|| ||TRUE: Only allowed languages -
FALSE: All available languages
**Features:
- Scans
LANG_DIRfor language files -
|| ||Filters byallowed_languagesconfig if set - Caches result in session
- System language always included
**Returns:
- **
|| ||Associative array:['en' => 'en', 'de' => 'de', ...]
**Example:
php<!--markup:1:end-->** <!--markup:2:begin-->
$allowed = $http->available_languages(true);
---- ==== <!--markup:1:begin-->|| ||<!--markup:1:end--> File Serving ==== ===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##sendfile($path, $filename = null, $age = null): void## ===== Serves files with proper HTTP headers and caching. **Parameters:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$path## (string) - File path (or HTTP_XXX constant for error pages) - <!--markup:1:begin-->|| ||<!--markup:1:end--> ##$filename## (string, optional) - Custom download filename - ##$age## (int, optional) - Cache age in days **Features: <!--markup:1:begin-->|| ||<!--markup:1:end-->** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> HTTP range request support (partial file downloads) - <!--markup:1:begin-->|| ||<!--markup:1:end--> ETag and Last-Modified conditional requests - Proper MIME type detection - Content-Security-Policy for special file types - <!--markup:1:begin-->|| ||<!--markup:1:end--> Streaming for large files - <!--markup:1:begin-->|| ||<!--markup:1:end--> GZip compression for text files **Special Paths:** <!--markup:1:begin-->|| ||
<!--markup:2:end-->
$http->sendfile(44); // Serves file defined by HTTP_44 constant
$http->sendfile(43); // Serves file defined by HTTP_43 constant
**Example:
php<!--markup:1:end-->** <!--markup:2:begin-->
---- ===== ##mime_type($path): string## ===== Returns <!--markup:1:begin-->|| ||<!--markup:1:end--> MIME type for a file. **Returns:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> MIME type string (e.g., 'application/pdf') - <!--markup:1:begin-->|| ||<!--markup:1:end--> Default: ##'application/octet-stream'## **Example: <!--markup:1:begin-->|| ||<!--markup:1:end-->** <!--markup:1:begin-->|| ||
<!--markup:2:end-->
$mime = $http->mime_type('file.pdf'); // 'application/pdf'
===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##mime_types(): array## (Private) =====
Loads
**Features:
- Reads from
config/mime.types -
|| ||Caches tocache/config/mime.types - Reloads if config is updated
Compression
===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##gzip(): void## =====Compresses HTTP response with gzip/x-gzip.
Features:
- Manually implements gzip (not relying on zlib.output_compression)
- Produces correct
Content-Lengthheader - Only compresses if:
- 86 bytes < content < 1 MB
- Client accepts compression
- Headers not already sent
Example:
$http->gzip();
Utility Methods
parse_str($str): array (Private)
Parses URL-encoded strings with special character handling.Purpose:
- Safely handles special characters in query/form data
- Converts encoding properly
**Example:
php<!--markup:1:end-->** <!--markup:2:begin-->
---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##request_uri(): string## (Private) ===== Extracts and normalizes REQUEST_URI from server. **Normalization:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> Removes base URL prefix - Removes spaces - <!--markup:1:begin-->|| ||<!--markup:1:end--> Collapses multiple slashes - <!--markup:1:begin-->|| ||<!--markup:1:end--> Removes ##..## path traversal attempts - Removes leading/trailing slashes ---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##cut_prefix($prefix, $path): string## (Private) ===== Removes prefix from path (case-insensitive). ---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ===== <!--markup:1:begin-->|| ||<!--markup:1:end--> ##get_header_conf($file_name): string## (Private) ===== Loads security header configuration from files. **Files <!--markup:1:begin-->|| ||<!--markup:1:end--> Supported:** -** <!--markup:1:begin-->|| ||<!--markup:1:end--> ##csp.conf## / ##csp_custom.conf## - <!--markup:1:begin-->|| ||<!--markup:1:end--> ##permissions_policy.conf## / ##permissions_policy_custom.conf## ---- <!--markup:1:begin-->|| ||<!--markup:1:end--> ===Configuration Dependencies=== The class relies on these database configuration settings: <!--markup:1:begin-->|| ||<!--markup:1:end--> <!--markup:2:begin-->#| *|<!--markup:2:end--> Setting | Type | Purpose | <!--markup:1:begin-->|| || ---------<!--markup:1:end-->* || ##base_url## | string | Wiki's base URL || || ##tls## | bool | Enable HTTPS enforcement || || ##cache## | bool | Enable page caching || || ##cache_ttl## | int | Cache lifetime in seconds || || ##session_store## | int | 1=File, =Database || || ##system_seed_hash## | string | Session encryption seed || || ##cookie_prefix## | string | Session cookie prefix || || ##cookie_path## | string | Cookie path || || ##allow_persistent_cookie## | bool | Allow persistent login || || ##session_length## | int | Session lifetime in seconds || || ##reverse_proxy_addresses## | string | Comma/space-separated proxy IPs || || ##reverse_proxy_header## | string | Custom X-Forwarded header || || ##language## | string | Default language code || || ##multilanguage## | bool | Enable language negotiation || || ##allowed_languages## | string | Comma/space-separated allowed langs || || ##enable_security_headers## | bool | Send security headers || || ##csp## | int | CSP setting (/1/2) || || ##permissions_policy## | int | Permissions-Policy setting (/1/2) || || ##referrer_policy## | int | Referrer-Policy setting (-8) || <!--markup:1:begin-->||<!--markup:1:end--> <!--markup:2:begin-->|#<!--markup:2:end--> ---- <!--markup:1:begin-->|| || === Constants Used === || ||<!--markup:1:end--> <!--markup:2:begin-->===Constants Used=== #| *|<!--markup:2:end--> Constant | Type | Purpose | <!--markup:1:begin-->|| || ----------<!--markup:1:end-->* || <!--markup:1:begin-->------ | --------- ||<!--markup:1:end--> ##IN_WACKO## | bool | Security check (exit if not defined) || || ##CHMOD_SAFE## | int | File permissions for cache files || || ##CHMOD_FILE## | int | File permissions for config cache || || ##CACHE_PAGE_DIR## | string | Page cache directory || || ##CACHE_SESSION_DIR## | string | Session cache directory || || ##CACHE_CONFIG_DIR## | string | Config cache directory || || ##CONFIG_DIR## | string | Configuration directory || || ##LANG_DIR## | string | Language files directory || || ##DAYSECS## | int | Seconds in a day (864) || || ##HTTP_44## | string | Path to 44 error page || || ##HTTP_43## | string | Path to 43 error page || |# ---- === Workflow Examples === <!--markup:1:begin-->==== Example<!--markup:1:end--> <!--markup:2:begin-->====Example<!--markup:2:end--> 1: Handling a GET Request====
// In main wiki entry point
$http = new Http($db);
$http->session(); // Start session
// Check if page can be served from cache
$http->check_cache('HomePage', 'show');
// ... render page content ...
// Store rendered page in cache if applicable
$http->store_cache();
// Send security headers
$http->http_security_headers();
// Possibly compress output
$http->gzip();
==== Example 2: Handling TLS/HTTPS Upgrade ====
$http = new Http($db); // Constructor detects TLS requirement
// If TLS is enabled and user wasn't in TLS before:
// - Sets TLS session flag
// - Marks session with TLS cookie
// - Redirects to HTTPS version
==== Example 3: Invalidating Cache After Page Edit ====
// User edits a page
$http = new Http($db);
$count = $http->invalidate_page('HomePage');
// All cached versions (different languages, methods) are invalidated
==== Example 4: Serving a File ==== <!--markup:1:begin-->
<!--markup:2:end-->
$http = new Http($db);
$http->session(2); // Static file mode - no session replay prevention
// Serve with 3-day cache
$http->sendfile('uploads/manual.pdf', 'user-manual.pdf', 3);
Security Considerations
1. IP Address Spoofing
- Validates IPs against private ranges
- Filters proxy-provided IPs appropriately
- Configurable reverse proxy trust
2. Session Security
- Binds sessions to IP address
- Binds sessions to TLS status
- Supports both file and database storage
- HttpOnly cookies by default
3. TLS Enforcement
- Automatic HTTPS upgrade when configured
- Marks TLS sessions to prevent downgrade attacks
- HSTS header support
4. Content Security
- CSP headers to prevent XSS
- X-Frame-Options to prevent clickjacking
- X-Content-Type-Options to prevent MIME sniffing
- Referrer-Policy control
- Permissions-Policy for browser features
5. File Serving
- Validates file existence and readability
- Prevents directory traversal via
realpath() - Rejects symbolic links
- Special CSP for SVG and PDF files
6. Cache Security
- Cached only for anonymous users
- Disabled for sensitive operations (edit, watch)
- Only GET requests cached
Performance Optimization
1. Page Caching
- Stores full HTML output
- TTL-based expiration
- Language and method-aware caching
- Conditional request support (34 Not Modified)
2. MIME Type Caching
- Loads MIME types once and caches
- Regenerates only when config changes
3. Session Options
- File-based sessions for simple deployments
- Database sessions for distributed systems
4. Compression
- Manual gzip implementation
- Proper Content-Length generation
- Only compresses appropriate sizes
Debugging
The class integrates with WackoWiki's diagnostic system:
<!
php<!--markup:1:end--> <!--markup:2:begin-->
// Diagnostic messages are preserved across redirects
// via session flash data
// Check cached pages (debug comments in output):
// <!-- WackoWiki Caching Engine: page cached at 224-1-15 12:3:45 GMT -->
%%
Related Classes
- Session Classes (
SessionFileStore,SessionDbalStore) - Session management backends - Database Class - Configuration and cache metadata storage
- Ut Utility Class - String/path utilities
- Diag Class - Diagnostic logging
Version History
- Supports PHP 8.+ (uses match expressions, union types)
- Follows RFC 911 for HTTP header handling
- Modern cookie security practices
Conclusion
The
Http class is the central request/response handler in WackoWiki, managing everything from session initialization to security headers to file serving. Understanding this class is essential for:- Extending WackoWiki with custom request handlers
- Implementing custom session logic
- Adding new security policies
- Optimizing cache strategies
- Debugging HTTP-related issues